Cloud Computing based Forensic Analysis for Collaborative Network Security Management Systems

Zhen Chen, Fuye Han, Junwei Cao, and Shuo Chen
Research Institute of Information Technology; Department of Computer Science & Technologies; Department of Automation; Tsinghua National Laboratory for Information Science and Technology (TNList), Tsinghua University, Beijing 100084, P. R. China

Abstract - Internet security problems remain a big challenge, as many security events still occur, such as Internet worms, spam and phishing attacks. A botnet, a well-organized distributed network attack, consists of a large volume of bots, which generate huge volumes of spam or launch Distributed Denial-of-Service (DDoS) attacks against victim hosts. This newly emerging botnet attack makes the Internet security status even worse. To address these problems, a practical Collaborative Network Security Management System is proposed with well-deployed collaborative UTM (Unified Threat Management) and traffic probers. Such a distributed security overlay network with a centralized Security Center leverages a Peer-to-Peer communication protocol used in the UTM's collaborative module and virtually interconnects them to exchange network events and security rules. Security functions of the UTM are also retrofitted to share security rules. In this paper, we propose a design and implementation of a cloud based Security Center for network security forensic analysis. We propose to use cloud storage to keep the collected traffic data and to process it with a cloud computing platform to find malicious attacks. A workable case, phishing attack forensic analysis, is presented and the required computing and storage resources are evaluated based on real trace data. The cloud based Security Center can instruct each collaborative UTM and prober to collect events and raw traffic, send them back for deep analysis and generate new security rules. These new security rules are enforced by the collaborative UTMs, and the feedback events of such security rules are also returned to the Security Center. By this type of closed-loop control, the Collaborative Network Security Management System can identify and address new distributed attacks more quickly and effectively.

Keywords: Cloud Computing, Overlay Network, Collaborative Network Security System, Computer forensics, Anti-Botnet, Anti-Phishing, Hadoop File System, Eucalyptus, Amazon Web Service.
1 Introduction

more E-crime attacks and abuse, such as spam, phishing attacks, Internet worms, etc. Firewalls, Intrusion Detection Systems (IDS) and Anti-Virus Gateways are now widely deployed in edge networks to protect end systems from attacks. When malicious attacks have fixed patterns, they can easily be identified by matching these patterns [39-42]. However, sophisticated attacks are distributed over the Internet, have fewer distinguishing characteristics and evolve quickly. For example, Distributed Denial of Service (DDoS) traffic contains very few, if any, signature strings by which to identify it. Nowadays DDoS attacks are likely launched by a large volume of bots which form a botnet controlled by a bot master. The bots are commanded to attack new victim machines and enlarge the botnet. The bots are also commanded to perform other tasks such as disseminating spam or launching DDoS attacks against victim hosts. To counter botnets, a secure overlay is proposed. To prevent such distributed attacks, collaboration is a necessary approach. Collaborative intrusion detection systems are reviewed in [36]. By collaboration, the network security system can achieve scalability and teamwork, and gains a bigger picture of events in the whole network. With collaboration, an algorithm is presented in [37] to improve the accuracy of alert events by aggregating information from different sources. A similar alert correlation algorithm [38], based on Distributed Hash Tables (DHT), is also put forward. The Collaborative Network Security Management System (CNSMS) [28] aims to develop a new collaboration system to integrate well-deployed UTMs such as NetSecu [27]. Such a distributed security overlay network, coordinated with a centralized Security Center, leverages a Peer-to-Peer communication protocol used in the UTM's collaborative module and virtually interconnects them to exchange network events and security rules.

CNSMS also has a huge output from operational experience, e.g., traffic data collected by multiple sources at different vantage points, operating reports and security events generated by different collaborative UTMs, etc. As such data is huge and not easy to analyze in real-time mode, it needs to be kept archived for further forensic analysis. In this paper, we evaluate a cloud based solution in the Security Center for traffic data forensic analysis. The main contribution of our paper is a practical solution to collect trace data and analyze it in parallel on a Cloud Computing platform. We propose to use cloud storage to keep the huge traffic data and to process it with a cloud computing platform to find malicious attacks, as we already operate a Collaborative Network Security Management System which has a big data output. A workable case, phishing attack forensic analysis, is presented and the required computing and storage resources are investigated. We conclude that these phishing filter functions can be effectively scaled to analyze a large volume of trace data for phishing attack detection with Cloud computing. The results also show that this solution is economical for large scale forensic analysis of traffic data.
2 Collaborative Network Security Management System

2.1 System Design and Implementation
The Collaborative Network Security Management System (CNSMS) [28] deployed in multiple sites is shown in Figure 1. The multisite deployment, which includes the Beijing Capital-Info network, the IDC Century-Link network, an enterprise network and a campus network, demonstrates the workability of our system. These four sites are all managed by the Collaborative Network Security Management System in the Security Center over the Internet. In each site there are several NetSecu nodes [27], each taking charge of a different network environment to adapt to the respective physical link.

Figure 1. The deployment of Collaborative Network Security Management System in Multisite.

During the system's operation, the collaborative mechanism runs as we expected to share security events and rulesets, and new rulesets are enforced on demand as instructed by the Security Center. Operating reports from each NetSecu node and Prober have been collected and sent back to the Security Center. Many network security events have also been observed and recorded in the deployment, such as DDoS reflection attacks, spam scatter and ad hoc P2P protocols.
(Figure 2 diagram: Cloud based Security Control Center; Collaborative UTM, with pattern matching and traffic capture; Traffic Prober, with traffic capture.)

Figure 2. The work principle of Collaborative Network Security Management System with Cloud based Security Center.

Figure 2 illustrates the whole procedure of network security event processing. Generally speaking, it is an information control cycle divided into several steps. Collaborative UTMs and Probers act as sensors and report security events and traffic data to the Security Center. The Security Center aggregates all the events and digs into the collected traffic data. After a detailed analysis, and with the assistance of an expert manager, the Security Center generates a new policy or ruleset to disseminate to each collaborative UTM and Prober for enforcement, and receives the feedback information.
most interesting part, containing protocol handshakes, authentication dialogs, data item names, etc.).
communication between these NetSecu nodes. More specifically, CNSMS will achieve the following objectives:
1. Security policy collaborative dissemination and enforcement;
2. Security event collaborative notification;
3. Security ruleset dissemination, enforcement and update;
4. Trust infrastructure;
5. Scalability.

1 MLFFR is the highest forwarding rate with zero packet loss.
Another key function of the Security Center is the forensic analysis of the collected traffic and network security events. We use cloud computing in the Security Center to store the large volume of traffic data originating from different sources and to conduct data analysis to generate new security rulesets, as shown in step 6 of Figure 2. To further instruct the UTMs to defeat new attacks such as botnets, we must investigate the traffic in depth, acquire the communication graph of the botnet, and generate security rules for enforcement in the UTMs to suppress the communication between bots and the bot master. This is also workable to resist DDoS attacks launched by botnets. As we equip the NetSecu node with open source application protocol identification and bandwidth management technology, the Security Center can instruct the system to act as a collaborative distributed traffic management system, which detects and manages the traffic collaboratively after the analysis of collected traffic in the Security Center. It can effectively improve the identification ratio of unknown botnet protocols and throttle the DDoS traffic.
keep their own botnets as small as possible, not only to hide themselves but also to rent out the botnets in an easy way; secondly, bots can automatically change their command and control (C&C) server in order to hide and rescue themselves.
(Figure 3 diagram: Botmaster, C&C Server, Bots.)

Figure 3. Botnet structure.

Based on the overlay network, the Collaborative Network Security System can be used as a distributed botnet suppression system. This system can automatically collect network traffic from every collaborative UTM in a distributed mode, and then process the collected data in the Security Center. The detection algorithm proposed in [33-34] is based on the behavior features of botnets; the system will generate and distribute rules when botnets are detected during processing. The most important feature of this system is its closed-loop control characteristic, i.e., gather the feedback events resulting from the deployed rules, process and analyze them in the control node, and remove invalid rules to make the system more efficient and reliable.
(Figure 4 diagram: one Master node connected through a 1Gbps switch to 18 Slave Nodes.)

Figure 4. Cloud Storage for traffic collected with collaborative UTM.

There are 4 racks of machines in total, with 5, 5, 4 and 4 machines in each rack, giving 18 slave nodes. The topology is shown in Figure 4. The Hadoop system is used for traffic analysis: the traffic collected at each collaborative UTM is aggregated and uploaded to this cloud platform. Each node has an Intel four-core CPU at 800MHz, 4GB of memory and a 250G hard disk.
We test the writing throughput of our Hadoop system with Hadoop's TestDFSIO utility (footnote 2). We test two scenarios: writing 18 files of 300MB each, and writing 36 files of 100MB each. The final results are shown in Table 1.

2 Hadoop TestDFSIO commands:
hadoop jar hadoop-test-1.0.1.jar TestDFSIO -write -nrFiles 18 -fileSize 300
hadoop jar hadoop-test-1.0.1.jar TestDFSIO -write -nrFiles 36 -fileSize 100

Table 1. The average writing throughput of the Hadoop file system in the cloud platform.
Throughput (MBps) per node | File Size=100MB | File Size=300MB
Writing 18 files in total | -8920 MBps | -:-23 MBps
Writing 36 files in total | 3.32: MBps | ;.2. MBps
3.1.2 Cloud Computing IaaS Platform

3.1.2.1 Cloud Computing based on Eucalyptus
In this section, we introduce our Cloud Computing platform based on Eucalyptus, an open-source platform by NASA and Ubuntu Enterprise Cloud. Figure 5 shows the Eucalyptus Cloud Computing platform we used. As shown in Figure 1, Eucalyptus Compute consists of seven main components, with the cloud controller component representing the global state and interacting with all other components. An API Server acts as the web services front end for the cloud controller. The compute controller provides compute server resources, and the Object Store component provides storage services. An auth manager provides authentication and authorization services. A volume controller provides fast and permanent block-level storage for the compute servers. A network controller provides virtual networks to enable compute servers to interact with each other and with the public network. A scheduler selects the most suitable compute controller to host an instance.
Our computer cluster consists of four to six heterogeneous servers. Each server has one of the following hardware configurations:
1. Intel Core 2 Quad Processor with 1.333 GHz FSB and 2MB cache, dual-channel 4GB DDR3 at 1.066GHz, Intel G41 + ICH7R Chipset and Intel 82574L Network Chipset;
2. Dual Intel Xeon 5X00 series Processors with Intel 5000P+ESB2 chipset, E5330 + 8GB;
3. Intel Xeon 5X00 series with FSB - 4.8/5.86/6.4 GT/s QPI Speed with Intel 5520 + ICH10R chipset, 24GB.

In Eucalyptus's terms, there is one cloud controller, and the others are compute nodes. The cloud controller acts as the computing portal, task assigner and result aggregator. Computing instances are affiliated with each compute node. In our usage scenario, we run 4 VM instances in each compute node, hence there are about 24 running instances simultaneously. Each computing instance runs the pipeline divided into the following phases: data fetching, data processing, and posting of computing results. By this method, we can achieve the best working efficiency of hardware and software resource usage.
The Cloud computing platform [15-17] is used for offline phishing attack forensic analysis. Firstly, our CNSMS collects the network trace data and reports it to the Security Center. Secondly, we have both constructed an IaaS cloud platform [21] and used an existing cloud platform, Amazon EC2 and S3 [18-20], for comparison. All phishing filtering operations are based on the Cloud Computing platform and run in parallel with a "divide and conquer" scheme.
"he e)perimental data is about <"B when collected in a cut-off mode in a collaborative &"%. "he data trace is still growing in the size during our e)periments.
"ime spending in different process stages in 0ucalyptus platform are measured and concluded as shown in "able 7. "able 7. "ime spending in different stage in 0ucalyptus. "#' stream reassembly &G> e)traction &G> check <@O7? <9O7? O@
It seems prefi)"ree comparison(s speed is ,uite fast and this time spending can be almost ignored. But before &G> check, it need take some time to download the 2oogle Safe Browsing signature libraries, this time spending is ,uite undetermined due to network status and 2oogle servers( response latencies. It is also needed to point out that the m<.small instance in 0#7 is memory constrained without swap partition support. It will cause problems when consuming a large volume of memory e)ceeding the memory usage limit! during trace data analysis.
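As an added illustration of the URL extraction and URL check stages discussed above, the following Python code (written for this page, not taken from the paper or its CNSMS/LARX implementation) rebuilds request URLs from reassembled HTTP streams and checks them against a blacklist held as a prefix tree of truncated SHA-256 hashes, in the style of the Google Safe Browsing v2 hash-prefix lists. The lookup-expression expansion is a simplified assumption rather than the exact Safe Browsing specification, and the streams and blacklist entries are constructed placeholders.

```python
import hashlib
import re
from urllib.parse import urlsplit

# Constructed sample input: two reassembled HTTP request streams (not real traffic).
STREAMS = [
    "GET /login/verify.php?id=7 HTTP/1.1\r\nHost: bank-secure.example\r\n\r\n",
    "GET /news/today HTTP/1.1\r\nHost: www.example.org\r\n\r\n",
]
# Constructed blacklist entries standing in for a downloaded signature list.
BLACKLIST = ["http://bank-secure.example/login/", "http://bad.example/"]
PREFIX_LEN = 4  # bytes of SHA-256 kept per list entry, as in Safe Browsing v2

REQUEST_RE = re.compile(r"^(?:GET|POST) (\S+) HTTP/1\.[01]\r\nHost: (\S+)", re.M)

def extract_urls(stream):
    """URL extraction stage: rebuild request URLs from a reassembled HTTP stream."""
    return ["http://" + host + path for path, host in REQUEST_RE.findall(stream)]

def canonical(url):
    """host + path (+ query), lower-cased: the form stored for a list entry."""
    p = urlsplit(url.lower())
    return (p.hostname or "") + (p.path or "/") + ("?" + p.query if p.query else "")

def lookup_expressions(url):
    """Simplified (assumed) Safe Browsing v2 expansion: every host suffix with at
    least two labels (max 5) combined with every path prefix, query kept on the
    full path only.  A blacklist entry for a directory thus matches its sub-pages."""
    p = urlsplit(url.lower())
    host, path = p.hostname or "", p.path or "/"
    labels = host.split(".")
    hosts = ([host] + [".".join(labels[i:]) for i in range(1, len(labels) - 1)])[:5]
    paths = ([path + "?" + p.query] if p.query else []) + [path]
    segs = path.split("/")[1:]
    paths += ["/" + "/".join(segs[:i]) + "/" for i in range(len(segs) - 1, 0, -1)]
    if path != "/":
        paths.append("/")
    return sorted({h + q for h in hosts for q in paths})

def hash_prefix(expr):
    return hashlib.sha256(expr.encode()).digest()[:PREFIX_LEN]

class PrefixTree:
    # Byte-wise trie over hash prefixes; a lookup walks at most PREFIX_LEN nodes.
    def __init__(self):
        self.root = {}

    def add(self, prefix):
        node = self.root
        for b in prefix:
            node = node.setdefault(b, {})
        node[None] = True  # terminal marker

    def contains(self, prefix):
        node = self.root
        for b in prefix:
            node = node.get(b)
            if node is None:
                return False
        return None in node

def build_tree(blacklist):
    tree = PrefixTree()
    for url in blacklist:
        tree.add(hash_prefix(canonical(url)))
    return tree

def check_streams(streams, tree):
    """URL check stage: (url, matching expression) for every request hitting the list.
    A prefix hit is only a candidate; a real deployment confirms it against the
    full 32-byte hash before raising an alert, as Safe Browsing itself does."""
    hits = []
    for stream in streams:
        for url in extract_urls(stream):
            for expr in lookup_expressions(url):
                if tree.contains(hash_prefix(expr)):
                    hits.append((url, expr))
                    break
    return hits
```

Running check_streams(STREAMS, build_tree(BLACKLIST)) flags only the first stream, reporting which list entry it matched.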
Table 3. Time spent in different micro-stages of processing in Amazon EC2.
Stage | TCP stream reassembly | URL extraction | URL check
Time (seconds) | ~287 | ~47 | 1~2

Compared with the Amazon case, it seems that the CPU used in the Amazon instance has better
Assume the time spent by a compute instance to handle a k-byte data block in stage (2), stage (3) and stage (4) is t1, t2 and t3 (in seconds) respectively. Assume there are m collaborative UTMs or probers collecting traffic data, the average traffic throughput is f bytes/s during the last 24 hours, and the traffic cut-off factor is h. The number of total instances X running in parallel needed to handle all of the last 24 hours' traffic is calculated as follows:

Eq. (1): T = t1 + t2 + t3
Eq. (2): X = (m*f*T*h)/k

X is also affected by several factors such as the percentage of HTTP streams in the traffic, the number of URLs in HTTP streams, users' behavior in exploring web sites, etc. In the Eucalyptus case, we only run one instance in each physical server. Assume m=4, f = 100MByte/s (800Mbps) in a 1 Gbps link, h = 0.2 (meaning 20% of the traffic is captured), each block is 200M Bytes and T = 40 s; then the number of physical servers (or instances) in parallel is calculated as follows:

X = (m*f*T*h)/k = 4*100*40*0.2/200 = 16

In the Amazon EC2 case, T = 330 s, and the number of EC2 m1.small instances needed in parallel is calculated as follows:

X = (m*f*T*h)/k = 4*100*330*0.2/200 = 132
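The following Python code, added here and not from the paper, reproduces Eq. (2) for both cases and makes the implicit reasoning explicit: it counts the k-byte blocks captured in one 24-hour window and the instance-seconds they cost, so that the window length cancels out; it also generalizes to a processing deadline shorter than the capture window, which the paper does not consider. The decimal megabyte is an assumption.

```python
import math

DAY = 86400  # seconds in the 24-hour window the paper sizes for
MB = 1_000_000  # the paper's "M Bytes"; a decimal megabyte is assumed here

def blocks_per_window(m, f, h, k, window_s=DAY):
    """Number of k-byte blocks the m sensors hand to the cloud in one window:
    m sensors * f bytes/s * cut-off factor h * window seconds, split into k-byte blocks."""
    return math.ceil(m * f * h * window_s / k)

def instances_needed(m, f, T, h, k, deadline_s=DAY, window_s=DAY):
    """Instances running in parallel so that one window's blocks are processed
    within deadline_s.  Each block costs T = t1 + t2 + t3 instance-seconds, so the
    total work is blocks * T instance-seconds and each instance contributes
    deadline_s of them.  With deadline_s == window_s the window cancels and
    this reduces to Eq. (2): X = m*f*T*h/k."""
    return math.ceil(blocks_per_window(m, f, h, k, window_s) * T / deadline_s)

def eucalyptus_case():
    # m=4 sensors, f=100 MB/s, T=40 s (Table 2), h=0.2, k=200 MB
    return instances_needed(4, 100 * MB, 40, 0.2, 200 * MB)

def ec2_case():
    # same traffic, T=330 s for an m1.small instance (Table 3)
    return instances_needed(4, 100 * MB, 330, 0.2, 200 * MB)

def ec2_six_hour_deadline():
    # same daily traffic, but the analysis must finish within 6 hours
    return instances_needed(4, 100 * MB, 330, 0.2, 200 * MB, deadline_s=6 * 3600)

if __name__ == "__main__":
    print("blocks per day:", blocks_per_window(4, 100 * MB, 0.2, 200 * MB))
    print("Eucalyptus servers:", eucalyptus_case())
    print("EC2 m1.small instances:", ec2_case())
    print("EC2 m1.small instances, 6-hour deadline:", ec2_six_hour_deadline())
```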
4 Conclusion

The Collaborative Network Security Management System is very useful for countering distributed network attacks. Its operation results in big data outputs, such as network traffic, security events, etc. In this paper, we propose to use cloud computing systems to explore the large volume of data collected from CNSMS to track the attack events. Traffic archiving is implemented in the collaborative UTMs to collect all the network trace data, and cloud computing technology is leveraged to analyze the experimental data in parallel. An IaaS cloud platform is constructed with Eucalyptus, and an existing cloud platform, Amazon EC2 and S3, is also used for comparison. Phishing attack forensic analysis is presented as a workable case, and the required computing and storage resources are evaluated using real trace data. All phishing filtering operations are cloud-based and run in parallel, and the processing procedure is also evaluated. The results show that the proposed scheme is practical and can be generalized to forensic analysis of other network attacks in the future.
ACKNOWLEDGMENT

This work is supported by the Ministry of Science and Technology of China under the National 973 Basic Research Program (grants No. 2011CB302805, No. 2011CB302505, No. 2012CB315801, and No. 2013CB228206), and the National Natural Science Foundation of China (grant No. 61233016). This work is also supported by the Intel Research Council's UPO program with the title Security Vulnerability Analysis based on Cloud Platform with Intel IA Architecture.
"eferences
3<8 +... *llen, #omputer /orensics, I000 Security I 'rivacy, 1olumeA 4, IssueA 6, 'age s!A @5 - 97, 7??@. 378 %ichael * #aloyannides, $asir %emon, +ietse 1enema, Digital /orensics, I000 Security I 'rivacy, 1olumeA :, IssueA 7, 'age s!A <9 - <:, 7??5. 348 /. Gaynal, S. Berthier, '. Biondi, D. Baminsky, .oneypot forensics part IA analyzing the network, I000 Security I 'rivacy, 1olumeA 7, IssueA 6, 'age s!A :7 - :;, 7??6. 368 /. Gaynal, S. Berthier, '. Biondi, D. Baminsky, .oneypot forensics part IIA analyzing the compromised host, I000 Security I 'rivacy, 1olumeA 7, IssueA @'age s!A :: - ;?, 7??6. 3@8 $. Sklavos, $. %odovyan, 1. 2rorodetsky, -. Boufopavlou, #omputer network securityA report from %%%-*#$S, I000 Security I 'rivacy, 1olumeA 7, IssueA <, 'age s!A 65 - @7, 7??6. 398 B.D. #arrier, Digital /orensics +orks, I000 Security I 'rivacy, 1olumeA :, IssueA 7, 'age s!A 79 - 75, 7??5. 3:8 B. +ardman, 2. Shukla, 2. +arner, Identifying vulnerable websites by analysis of common strings in phishing &G>s, I000 e#rime Gesearchers Summit, 7??5. 3;8 Shu=un >i, G. Schmitz, * novel anti-phishing framework based on honeypots, I000 e#rime Gesearchers Summit, 7??5. 358 G. >ayton, '. +atters, G. Dazeley, *utomatically determining phishing campaigns using the &S#*' methodology, e#rime Gesearchers Summit e#rime!, 7?<?. 3<?8 '. Bnickerbocker, Dongting Su, Hun >i, .umboldtA * distributed phishing disruption system, e#rime Gesearchers Summit e#GI%0(?5.!, 7??5. 3<<8 *n 0mpirical *nalysis of 'hishing Blacklists, #0*S 7??5 Si)th #onference on 0mail and *ntiSpam, Huly <9-<:, 7??5, %ountain 1iew, #alifornia &S*. 
3<78 2oogle Safe Browsing v7 *'I httpAFFcode.google.comFapisFsafebrowsingF 2oogle Safe Browsing v7 *'I documentationA httpAFFcode.google.comFapisFsafebrowsingFdevelopersTguideTv7.html 3<48 *'+2, httpAFFwww.apwg.orgF or httpAFFwww.antiphishing.orgFcrimeware.html 3<68 StopBadware, httpAFFstopbadware.orgF 3<@8 +eb search for a planetA the google cluster architecture, I000 %icro %arch-*pril 7??4.
3<98 San=ay 2hemawat, .oward 2obioff, and Shun-"ak >eung, "he 2oogle /ile System, &S0$IL S-S'(?4, -ctober <5-77, 7??4, Bolton >anding, $ew Sork, &S*. 3<:8 Heffrey Dean and San=ay 2hemawat, %apGeduceA Simplified Data 'rocessing on >arge #lusters, &S0$IL -SDI 7??6. 3<;8 Simson >. 2arfinkel, *n 0valuation of *mazon(s 2rid #omputing ServicesA 0#7, S4 and SJS, "echnical Geport "G-?;-?:, .arvard &niversity, 7??:. 3<58 *mazon web services, *mazon elastic compute cloud amazon ec7!, %arch <; 7?<<. httpAFFaws.amazon.comFec7 37?8 *mazon web services, *mazon simple storage service amazon s4!, %arch <; 7?<<. httpAFFaws.amazon.comFs4 37<8 0ucalyptus, open source #loud #omputing platform 0ucalyptus-novaE httpsAFFlaunchpad.netFnova 0ucalyptus-swfitE httpsAFFlaunchpad.netFswift 0ucalyptus-glanceE httpsAFFlaunchpad.netFglance 3778 2regor %aier, Gobin Sommer, .olger Dreger, 1ern 'a)son, 0nriching network security analysis with time travel, Sigcomm 7??;. 3748 "#'trace and "#'D&%', httpAFFwww.tcptrace.orgF and httpAFFwww.tcpdump.orgF. 3768 B. "homas, #. 2rier, H. %a, 1. 'a)son and D. Song, %onarchA 'roviding Geal-"ime &G> Spam /iltering as a Service, to be appeared in 'roc. I000 Symposium on Security and 'rivacy, %ay 7?<<. 37@8 Hun >i, Shuai Ding, %ing Lu, /uye .an, Lin 2uan, Uhen #hen. "I/*A 0nabling Geal"ime Juerying and Storage of %assive Stream Data, <st International #onference on $etworking and Distributed #omputing I#$D#!, 7?<<. 3798 Uhen #hen, Li Shi, >ing-Sun Guan, /eng Lie and Hun >i, .igh Speed "raffic *rchiving System for /low 2ranularity Storage and Juerying, I###$ 7?<7 workshop on '%0#". 37:8 Linming #hen, Beipeng %u, Uhen #hen, $etSecuA * #ollaborative $etwork Security 'latform for in-network Security. 'roc. of the 4rd International #onference on #ommunications and %obile #omputing #%#!, 7?<<. 37;8 Beipeng %u, Linming #hen, Uhen #hen, * #ollaborative $etwork Security %anagement System in %etropolitan *rea $etwork. 'roc. 
of the 4rd International #onference on #ommunications and %obile #omputing #%#!, 7?<<. 3758 'eter Desnoyers and 'rashant Shenoy, .yperionA .igh 1olume Stream *rchival for Getrospective Juerying, &S0$IL *nnual "echnical #onference 7??:. 34?8 Stefan Borne)l, 1ern 'a)son, .olger Dreger, *n=a /eldmann, Gobin Sommer, Building a "ime %achine for 0fficient Gecording and Getrieval of .igh-1olume $etwork "raffic, I%# 7??@. 34<8 2. %aier, G. Sommer, .. Dreger, *. /eldmann, 1. 'a)son, and /. Schneider, 0nriching $etwork Security *nalysis with "ime "ravel. In 'roc. *#% SI2#-%%, Seattle, +*, *ug. 7??;. 3478 >. Deri, 1. >orenzetti, and S. %ortimer, #ollection and e)ploration of large data monitoring sets using bitmap databases, "rac %onitoring and *nalysis, Han 7?<?.
3448 /uye .an, Uhen #hen, .ongfeng Lu and Song >iang, * #ollaborative Botnets Suppression System Based on -verlay $etwork, the special issue of the International Hournal of Security and $etworks, 1o. :, $o. 6, 7?<7. 3468 /uye .an, Uhen #hen, .ongfeng Lu and Song >iang, 2arlicA * Distributed Botnets Suppression System. 'roc. of the I000 I#D#S, the /irst International +orkshop on $etwork /orensics, Security and 'rivacy $/S'!, 7?<7. 'hishing attack 34@8 "ianyang >i, /uye .an, Shuai Ding, Uhen #hen, >*GLA >arge-scale *nti-phishing by Getrospective Data-0)ploring Based on a #loud #omputing 'latform. I###$ 2rid'eer workshop, 7?<<. 3498 G. Bye, S. *. #amtepe, and S. *lbayrak, #ollaborative intrusion detection frameworkA #haracteristics, adversarial opportunities and countermeasures, in 'roceedings of &S0$IL Symposium on $etworked Systems Design and Implementation, *pril 7??:. 34:8 /. #uppens and *. %ige, *lert correlation in a cooperative intrusion detection framework, I000 Symposium on Security and 'rivacy, 7??7. 34;8 *. .ofmann, I. Dedinski, B. Sick, and .. de %eer, * novelty driven approach to intrusion alert correlation based on distributed hash tables, I000 I##(s 7??:. 3458 Donghua Guan and Uhen #hen et al., .andling .igh Speed "raffic %easurement &sing $etwork 'rocessors, I##" 7??9. 36?8 Hia $i, Uhen #hen et al., * /ast %ulti-pattern %atching *lgorithm for Deep 'acket Inspection on a $etwork 'rocessor, I#'' 7??:. 36<8 Uhen #hen et al., *nti+orm $'&-based 'arallel Bloom filters in 2iga-0thernet >*$, I000 I##(7??9. 3678 Uhen #hen et al., *nti+orm $'&-based 'arallel Bloom filters for "#'-I' #ontent 'rocessing in 2iga-0thernet >*$, I000 >#$ +o$S7??@.